Useless CSP

Aug 26, 2019

iCloud

Apple's iCloud serves a Content-Security-Policy whose script-src includes both 'unsafe-inline' and 'unsafe-eval'. With 'unsafe-inline' present and no nonce or hash to override it, any injected inline <script> or event-handler attribute is allowed to run, so the policy gives no protection against XSS at all; 'unsafe-eval' additionally lets eval() and new Function() execute attacker-controlled strings. The long allowlist of hosts that follows is therefore beside the point.

$ curl -s -i 'https://www.icloud.com' | grep -Ei '^Content-Security-Policy:' | sed "s/;/;\\n/g"
Content-Security-Policy: default-src 'none';
script-src blob: 'self' 'unsafe-inline' 'unsafe-eval' *.apple.com *.cdn-apple.com *.apple-mapkit.com *.apple-cloudkit.com *.apple-livephotoskit.com;
style-src 'self' data: 'unsafe-inline' *.icloud.com *.apple.com *.cdn-apple.com;
img-src 'self' blob: data: icloud.com *.icloud.com *.apple.com *.cdn-apple.com *.icloud-content.com *.apple-mapkit.com;
media-src 'self' blob: data: *.icloud.com *.apple.com *.cdn-apple.com *.icloud-content.com;
font-src 'self' blob: data: *.apple.com *.cdn-apple.com;
connect-src blob: 'self' icloud.com *.icloud.com *.apple.com *.cdn-apple.com *.icloud-content.com *.apple-mapkit.com;
frame-src 'self' blob: mailto: tel: *.icloud.com *.apple.com *.icloud-sandbox.com *.icloud-content.com;
frame-ancestors 'self' *.icloud.com *.apple.com;
form-action 'self' *.icloud.com;
child-src blob: 'self';
base-uri 'self' *.icloud.com *.cdn-apple.com;
report-uri https://feedbackws.icloud.com/reportRaw
$
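As an added check that is not part of the original post, the following Python parses a CSP header value the way a browser does (first directive wins, script-src falls back to default-src) and reports the script-src settings that make the policy useless against XSS. The iCloud policy string is the one captured by the curl command above; HARDENED_CSP, its placeholder nonce value, and the function and finding names are my own illustration, not anything Apple ships.

```python
"""Audit a Content-Security-Policy header value for settings that defeat its XSS protection.

Added example for this post; not code from Apple or from the original page.
"""
from __future__ import annotations

# The policy served by https://www.icloud.com, as captured by the curl command in the post
# (directives not relevant to script execution are omitted for brevity).
ICLOUD_CSP = (
    "default-src 'none'; "
    "script-src blob: 'self' 'unsafe-inline' 'unsafe-eval' *.apple.com *.cdn-apple.com "
    "*.apple-mapkit.com *.apple-cloudkit.com *.apple-livephotoskit.com; "
    "style-src 'self' data: 'unsafe-inline' *.icloud.com *.apple.com *.cdn-apple.com; "
    "img-src 'self' blob: data: icloud.com *.icloud.com *.apple.com *.cdn-apple.com "
    "*.icloud-content.com *.apple-mapkit.com; "
    "frame-ancestors 'self' *.icloud.com *.apple.com; "
    "base-uri 'self' *.icloud.com *.cdn-apple.com; "
    "report-uri https://feedbackws.icloud.com/reportRaw"
)

# A constructed nonce-based policy for comparison (hypothetical; the nonce is a placeholder).
HARDENED_CSP = (
    "default-src 'none'; "
    "script-src 'nonce-c29tZS1yYW5kb20tbm9uY2U' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'none'"
)

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}.

    Directive names are case-insensitive. Per the CSP spec the first occurrence
    of a directive wins and later duplicates are ignored, which this reproduces.
    """
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        policy.setdefault(name, values)
    return policy


def effective_script_src(policy: dict[str, list[str]]) -> list[str]:
    """script-src inherits from default-src when it is not set explicitly."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def audit_script_src(policy: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for script-src weaknesses."""
    findings: list[tuple[str, str]] = []
    sources = [s.lower() for s in effective_script_src(policy)]
    if not sources:
        findings.append(("NO_SCRIPT_SRC", "neither script-src nor default-src is set, so any script is allowed"))
        return findings
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    # Browsers supporting CSP Level 2+ ignore 'unsafe-inline' once a nonce or hash is present.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append(("UNSAFE_INLINE", "'unsafe-inline' with no nonce or hash lets injected <script> and event handlers run"))
    if "'unsafe-eval'" in sources:
        findings.append(("UNSAFE_EVAL", "'unsafe-eval' permits eval() and new Function() on attacker-controlled strings"))
    if "*" in sources or any(s in ("http:", "https:") for s in sources):
        findings.append(("WILDCARD_HOST", "a bare wildcard or scheme-only source allows script from any origin"))
    if "data:" in sources:
        findings.append(("DATA_URI", "data: in script-src allows <script src=\"data:...\"> with attacker-controlled content"))
    return findings


def is_useless_against_xss(policy: dict[str, list[str]]) -> bool:
    """True when an attacker who can inject markup can run script despite the policy."""
    codes = {code for code, _ in audit_script_src(policy)}
    return bool(codes & {"NO_SCRIPT_SRC", "UNSAFE_INLINE", "WILDCARD_HOST", "DATA_URI"})


if __name__ == "__main__":
    for label, header in (("icloud.com", ICLOUD_CSP), ("hardened", HARDENED_CSP)):
        policy = parse_csp(header)
        print(f"{label}: useless against XSS = {is_useless_against_xss(policy)}")
        for code, why in audit_script_src(policy):
            print(f"  [{code}] {why}")
```

Feed it the value of the header (everything after "Content-Security-Policy:"); the iCloud policy comes back with UNSAFE_INLINE and UNSAFE_EVAL, the nonce-based policy with nothing. Note that 'unsafe-eval' alone is reported but not counted as making the policy useless, since it only matters once the attacker already runs script; it is 'unsafe-inline' without a nonce or hash that hands over execution outright.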